by sunshine-o 396 days ago
Yes, I believe the Eclipse Foundation and others lobbied for that.

But here is the problem: if you now have a small business selling services around free software, you are now facing the full wrath of the regulation and legal risk. In the end only IBM, RedHat, Microsoft and big companies have the strength and the resources to monetize open source, but smaller actors don't. And it is becoming very difficult and risky even for most ~100-employee companies.

So you still have the right to develop and use free software but you can't really make a living out of it anymore unless you work for RedHat or others.

And yes it makes no sense. The EU is doing to the software industry what they did to agriculture a few decades ago.


Is there a specific risk you're worried about, or just the general risk of doing something wrong that's inherent to all business and is typically mitigated by insurance and by using a limited liability company?

So insurance did not offer much before the CRA. They will probably develop this market but it is probably gonna cost a lot and will be complex and imperfect.

Of course an LLC ultimately protects you, but you have just multiplied by 10 or 100 the risk of blowing up your livelihood and that of your employees.

Those regulations are just a nightmare, with "no-fault" liability and a simplified burden of proof for the claimant, and are just very difficult to decipher or apply to real-world situations in an evolving landscape.

So unless you are big and have legal resources to work on it, people are probably not gonna bother, or will give up.

Anyway your costs and risks have exploded and you are still competing with let's say Microsoft Azure.

Have you talked to an insurer? Business insurance requires a customized quote.

You didn't really answer the question. Do you have a specific risk in mind, or are you only worried about the risk of a random fuckup which all businesses face?

Yes, so the problem is this is not about a random f-up: the CRA is full of buzzword concepts like "Cyber security by design", "Cyber security by default", "according to risks", which will be evaluated by the courts if you end up there.

All software you provide has to be secure, and if it is not you are liable for damage. So this is not just a random f-up, and we know how hard security really is in practice.

I also know that when you are a provider of software, most vulnerabilities and risks are usually requested/created by the client, who usually exerts pressure on you (especially if you are a small actor). It is often done in a sneaky manner, putting the provider in an impossible situation. You will need to document this the best you can, because now you are liable big time.

EDIT: What I mean is I understand they did that to force big manufacturers of IoT device to care more about security. But if you are now a small provider setting up some customized software you fall under the same rules.

So in other words if you provide someone software and it sets their business on fire, you're liable to repay the value of the business you set on fire. Yes, this is how all business relations work. If I sell someone a mango that sets their business on fire I'm liable for that too. Not unique to software. No difference if it's a mango full of genetically modified bacteria that spontaneously combust after a certain time passes, or a server that sends network signals to turn the heating up to 1000 degrees. And in both cases the solution is don't do that.

So I want to know what specific risks you're worried about that are not present in literally 100% of business interactions. Or do you expect software to be exempt from the general principles of liability?

> Or do you expect software to be exempt from the general principles of liability?

Yes.

Have you read the EULA of most of the software you use?

Any of the open source licenses?

And this is why the computer world is almost the only thing that really progressed in the last decades.

Because we could take that risk because in most cases nobody was gonna die (medical devices or the ABS in your car are a separate category with other rules).

You do not realize how free from regulations computers have been and this is why you are on HN and probably work in this industry.

We ended up with a fairly acceptable ecosystem where you can either keep your ISP provided router, buy a very suspicious one on Aliexpress, or Nitrokey, Turris (both EU companies) or one with OpenBSD.

Bad regulations will make the last 3 options disappear. That is the sad reality.

Open source software is unsecure. It's neither secure nor insecure. Securing something means implementing policies like SSO and ACLs. That's not open source's job. Open source gives you a tool and it's your responsibility to secure the thing. It's not the responsibility of open source developers. It can't be. What they strive to do is to not ship something that's known to be insecure.